* frm chrisat_private "09/05/01 16:18:10 -0700" | sed '1,$s/^/* /'
*
*
* 1. when we've entertained authoritative hooks, we've never entertained
* capturing short-circuit returns for code well-above the hook. so code
* that looks like:
*
*     if (some_check())
*         return -EYOUVEBEENVERYBAD;
*     do();
*     a();
*     bunch();
*     of();
*     stuff();
*
*     if (!perms_ok && !capable(EVIL_STUFF))
*         return -EPERM;
*     ret = security_ops->hook_goes_here();
*     if (ret)
*         return ret;
*
* would never catch the 'some_check' short-circuit, even in the proposed
* authoritative hook scheme.

In this case some_check() tends to not be access control related (it's often
argument validation).

*
* 2. the short circuit that is localized to the restrictive hook, can
* be used as an authoritative hook if you override the in-kernel check
* in your capable() check.
*
*     if (!perms_ok && !capable(EVIL_STUFF))
*         return -EPERM;
*     ret = security_ops->hook_goes_here();
*     if (ret)
*         return ret;
*
* so you will never hit the 'return -EPERM' short-circuit if you override
* the perms_ok check with capable(). so if capable(EVIL_STUFF) returns
* TRUE, you will not hit the short-circuit (you just gave the capability).
*
* now you enter the lsm hook. you have two choices here. 1) recalculate
* the in-kernel check (i've called perms_ok). 2) utilize the fact that
* you only called in capable if you failed perms_ok, so you already know
* that !perms_ok == 1. as you can see, the ways that perms_ok could fail
* do not affect the returned error (-EPERM) so you don't necessarily need
* to know exactly which bit of the perms were bad (unless that's what you
* want to audit...in which case you have to redo the check).
*

I spent just a few minutes looking, and it's not sufficient simply to
override the return of capable, the value returned would have to be dependent
on what capability was being checked, returning zero for some values, doing a
real capable check in others.

And we'd still have to move the in-kernel code into the module to capture the
error code as there are places that return different errno's depending on the
code path.

Problems

    vfs_permission()
    sys_setpriority()
    sys_setgroups()
    sys_sethostname()
    sys_setdomainname()

I got bored looking then :-)

*
* -chris

richard.

-----------------------------------------------------------------------
Richard Offer                     Technical Lead, Trust Technology, SGI
"Specialization is for insects"
_______________________________________________________________________

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
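The capable() override from the quoted message and the two objections in the reply, as an added example that is not part of the original post: a userspace C model, not kernel code. All identifiers (capable_model, hook_model, syscall_model, the three policies) and the pairing of -EPERM and -EACCES with the two checks are constructed for illustration.

```c
/* Userspace model, not kernel code. Every identifier is hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

enum cap_model { CAP_OWNER_MODEL, CAP_RANGE_MODEL, CAP_COUNT };

struct policy {
    bool override_cap[CAP_COUNT]; /* answer "capable" so the hook is reached */
    bool allow_in_hook;           /* the module's own verdict in the hook */
};

static const struct policy deny_all  = { { true, true  }, false };
static const struct policy grant_all = { { true, true  }, true  };
static const struct policy partial   = { { true, false }, false };
static const struct policy *active;  /* NULL: no module loaded */

static bool capable_model(enum cap_model c)
{
    /* The caller holds no real capabilities in this model. */
    return active != NULL && active->override_cap[c];
}

static int hook_model(void)
{
    return (active != NULL && !active->allow_in_hook) ? -EPERM : 0;
}

/* Two in-kernel short circuits with different errnos (constructed). */
static int syscall_model(bool owner_ok, bool range_ok)
{
    if (!owner_ok && !capable_model(CAP_OWNER_MODEL))
        return -EPERM;
    if (!range_ok && !capable_model(CAP_RANGE_MODEL))
        return -EACCES;
    return hook_model();
}

static int run(const struct policy *p, bool owner_ok, bool range_ok)
{
    active = p;
    return syscall_model(owner_ok, range_ok);
}

int main(void)
{
    printf("deny_all,  range bad: %d\n", run(&deny_all, true, false));
    printf("grant_all, both bad:  %d\n", run(&grant_all, false, false));
    printf("partial,   range bad: %d\n", run(&partial, true, false));
    return 0;
}
```

With deny_all the range failure comes back as -EPERM instead of -EACCES unless the module recomputes the in-kernel check; with partial the un-overridden capability still short-circuits before the hook runs.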
This archive was generated by hypermail 2b30 : Wed Sep 05 2001 - 16:49:25 PDT